Our A to Z to help you expand your knowledge

The following is lightly-edited and redacted from the Sovrin Glossary V2, which is to date the most comprehensive and adaptable across contexts. Spherity is currently collaborating with other Decentralized Identity Foundation members to edit a more cross-platform version.



A software program or process used by or acting on behalf of an entity to interact with other agents or with distributed ledgers. Agents are of two types: Edge Agents run at the edge of the network on a local device; Cloud Agents run remotely on a server or cloud hosting service (or even in "serverless" cloud architectures). Agents require access to a wallet to perform cryptographic operations on behalf of the entity they represent.



An identity owner that is responsible for control of another entity—specifically the Private Keys needed to take actions on behalf of that entity. For example, a thing controller has a controller relationship with a thing.


A digital assertion containing a set of claims made by an entity about itself or another entity. Credentials are a subset of identity data. A credential is based on a credential definition. The entity described by the claims is called the Subject of the credential. The entity creating the credential is called the Issuer. The entity holding the issued credential is called the Holder. The entity to whom a credential is presented is generally called the relying party, and specifically called the Verifier if the credential is a Verifiable Credential.

Credential Offer

An Agent-to-Agent Protocol message type sent from an Issuer to a Holder to invite the Holder to send a Credential Request to the Issuer.

Credential Request

An Agent-to-Agent Protocol message type sent from a Holder to an Issuer to request the issuance of a Credential to that Holder.

Credential Exchange

A set of Interaction Patterns within an Agent-to-Agent Protocol for exchange of Credentials between Entities acting in Credential Exchange Roles.

Cryptographic Trust

Trust bestowed in a set of machines operating a set of cryptographic algorithms that they will behave as expected. This form of trust is based in mathematics and computer hardware/software engineering.


Decentralized Identifier (DID)

A globally unique identifier developed specifically for decentralized systems as defined by the W3C DID specification. DIDs enable interoperable decentralized Self-Sovereign Identity management. A DID is associated with exactly one DID Document.


Acronym for Decentralized Identifier.

DID Document

The machine-readable document to which a DID points as defined by the W3C DID specification. A DID document describes the Public Keys, Service Endpoints, and other metadata associated with a DID. A DID Document is associated with exactly one DID.

DID Method

A specification that defines a particular type of DID conforming to the W3C DID specification. A DID Method specifies both the format of the particular type of DID as well as the set of operations for creating, reading, updating, and deleting (revoking) it. DID Methods are registered with the W3C to facilitate cross-network resolution by the "Universal Resolver" and its derivatives, which facilitates protocol-level interoperability between all compliant platforms and their methods.

DID Resolver

A software module that takes a DID as input and returns a DID document by invoking the DID Method used by that particular DID. Analogous to the function of a DNS resolver.

DID Subject

The Entity identified by a DID.


As used in IETF RFC 3986, Uniform Resource Identifier (URI), a resource of any kind that can be uniquely and independently identified.



A role played by an Entity when it is issued a Credential by an Issuer. The Holder may or may not be the Subject of the Credential. (There are many use cases in which the Holder is not the Subject, e.g., a birth certificate where the Subject is a baby and both the mother and father may be Holders.)

Human Trust

Trust bestowed in a set of humans (Individuals and/or Organizations) that they will behave as expected. This form of trust is based in human social, business, and legal relationships. Compare with Cryptographic Trust.



Information that enables a specific Entity to be distinguished from all others in a specific context. Identity may apply to any type of Entity, including Individuals, Organizations, and Things. Note that Legal Identity is only one form of Identity. Many technologies can provide Identity capabilities.

Identity Data

The set of data associated with an Identity that permits identification of the underlying Entity. In Self-Sovereign Identity, the sharing of Identity Data is under the control of the Identity Owner.

Identity Owner

This term refers to the subclassifications of an Entity that may be held legally accountable. Identity Owners includes Individuals and Organizations but do not include Things. The actual legal accountability of an Identity Owner for any particular action depends on many contextual factors including the laws of the applicable Jurisdiction, Guardianship, and so forth.


The act of one Entity assuming the Identity of another Entity, often for malicious purposes. Guardianship is not Impersonation because the Guardian is acting on behalf of and with the authorization of the Identity Owner, and is often legally knowable. Delegation is not Impersonation because the Delegate has a recognizable identity distinct from that of the Delegator.


A natural person. Mutually exclusive with Organization.


The Entity that issues a Credential to a Holder. Based on the definition provided by the W3C Verifiable Claims Working Group.


Key Recovery

The process of recovering access to and control of a set of Private Keys—or an entire Wallet—after loss or compromise. Key Recovery is a major focus of the emerging DKMS standard for cryptographic key management.



A legal Entity that is not a natural person (i.e., not an Individual). Examples of Organizations include a Group, sole proprietorship, partnership, corporation, LLC, association, NGO, cooperative, government, etc. Mutually exclusive with Individual.



A transfer of cryptographically verifiable units of value from one Entity to another Entity.

Private Data

Data over which an Entity exerts access control. Private Data may be stored by an Agent in a Wallet or Vault or other secure location. Mutually exclusive with Public Data.

Private Key

The half of a cryptographic key pair designed to be kept as the Private Data of an Entity. In elliptic curve cryptography, a Private Key is called a signing key.


Cryptographic verification of a Claim or a Credential. A digital signature is a simple form of Proof. A cryptographic hash is also a form of Proof.


A role played by an Entity when it generates a Zero Knowledge Proof from a Credential. The Prover is also the Holder of the Credential.

Proof Request

The data structure sent by a Verifier to a Holder that describes the Proof required by the Verifier.

Public Data

Data over which an Entity does not exert access control—it is publicly available to be read by anyone. Mutually exclusive with Private Data.

Public Key

The half of a cryptographic key pair designed to be shared with other parties in order to decrypt or verify encrypted communications from an Entity. In digital signature schemes, a Public Key is also called a verification key. A Public Key may be either Public Data or Private Data depending on the policies of the Entity.


Recovery Key

A special Private Key used for purposes of recovering a Wallet after loss or compromise. In the DKMS key management protocol, a Recovery Key may be cryptographically sharded for secret sharing among multiple Trustees.


A software module that accepts an Identifier as input, looks up the Identifier in a database or ledger, and returns metadata describing the identified Entity. The Domain Name System (DNS) uses a DNS resolver. Self-Sovereign Identity uses a DID Resolver.


Self-Sovereign Identity

An identity system architecture based on the core principle that Identity Owners have the right to permanently control one or more Identifiers together with the usage of the associated Identity Data.

Sovereign Domain

The set of Agents, Wallets, Vaults, devices, services, and other digital resources over which an Identity Owner exercises sovereignty. Note that the actual sovereignty of the Identity Owner is limited to the degree such control is protected by the Developer of the hardware or software the Identity Owner is using.


Initialism for Self-Sovereign Identity.


The Entity whose Identifiers are asserted by DIDs and whose Attributes are asserted by Credentials. Aligns with the definitions provided by the W3C Credentials Community Group and W3C Verifiable Claims Working Group.



An Entity that is not an Individual or an Organization and thus cannot be held legally accountable. A Thing may be a Natural Thing or a Man-Made Thing. In Self-Sovereign Identity, a Thing is represented by an Agent that can form Connections, exchange Credentials, and communicate securely even if the Thing itself is not network-enabled. Mutually exclusive with Identity Owner.

To participate in an SSI ecosystem, every Thing must have a Thing Controller. NOTE: Not all objects are Things in the sense defined here. A Thing must be a uniquely identifiable Entity that is not fungible, i.e., not directly replaceable or exchangeable with another Thing.

Thing Controller

A Controller that controls the Identity Data, including the Private Keys, for a Thing. Every Thing must have a Thing Controller. The Thing Controller may or may not be the legal owner of the Thing, however the Thing Controller may still be legally responsible for actions Agent(s) take on behalf of the Thing.



A term used to describe cryptographically-protected secure storage that is outside a Wallet but still accessible to and/or managed by an Agent. A Vault may (but is not required to) contain a Wallet. A Vault is often used for secure storage of digital assets too large to fit into a Wallet, or to manage identities in batches and/or by quorum. Encryption and decryption of the contents of the Vault is usually performed by an Agent using Private Keys stored in a Wallet.

Verifiable Credential

A Credential that includes a Proof from the Issuer. Typically this proof is in the form of a digital signature. Based on the definition provided by the W3C Verifiable Claims Working Group.


An Entity who requests a Credential or Proof from a Holder and verifies it in order to make a trust decision about an Entity. Based on the definition provided by the W3C Verifiable Claims Working Group.



A software module, and optionally an associated hardware module, for securely storing and accessing Private Keys, Link Secrets, other sensitive cryptographic key material, and other Private Data used by an Entity. A Wallet is accessed by an Agent.